The krb5.conf generated during net ads join and weak enc types

Richard Sharpe realrichardsharpe at gmail.com
Tue Jun 16 20:49:44 MDT 2015


On Tue, Jun 16, 2015 at 4:29 PM, Simo <simo at samba.org> wrote:
> On Tue, 2015-06-16 at 12:00 -0700, Jeremy Allison wrote:
>> On Tue, Jun 16, 2015 at 11:46:01AM -0700, Richard Sharpe wrote:
>> > Hi folks,
>> >
>> > Our paranoid security folks are saying that we must only allow the use
>> > of the enctypes aes256-cts-hmac-sha1-96 and aes128-cts-hmac-sha1-96.
>> >
>> > I notice that the krb5.conf file generated during net ads join
>> > includes some other, weaker, enc_types like RC4-HMAC, DES-CBC-CRC, etc
>> > and they suggest that we should remove them from the generated
>> > krb5.conf.
>>
>> Sounds good to me - do you want to log a bug so
>> we can track this ?
>
> Yes please, this is harder than you may think.(And generating files
> stink in the first place, why do we still need that ?)

1. I can submit a patch to remove them.

2. Yes, why do we still need that? If the user has a bad, default
krb5.conf then things will not work, but maybe they need to learn to
get rid of the krb5.conf file or get rid of the entries that disallow
using DNS for KDC and Domain lookup. Maybe we need to document that.

>> > However, I notice that on the platform we are using, CentOS 6.x, the
>> > default in the [libdefaults] section of krb5.conf is
>> > 'allow_weak_crypto = false' so these should be weeded out anyway
>> > shouldn't they unless we are silly enough to explicitly set it to
>> > true?
>>
>> Not sure, but it really shouldn't hurt to remove
>> them. RC4 and DES are dead and starting to smell
>> really bad :-).
>
> RC4 is not weed out by allow_weak_crypto = false, and also it may be
> necessary in some old (2003) Domains, which is why it was added I guess.

OK, so maybe we need a way to generate a krb5.conf and allow RC4 if
they need to join W2K03. Another smb.conf parameter?

-- 
Regards,
Richard Sharpe
(何以解憂?唯有杜康。--曹操)


More information about the samba-technical mailing list